[arin-ppml] ARIN discontinuing DNSSEC capability to legacy holders

Paul Ebersman list-arin-ppml at dragon.net
Sat Oct 6 02:36:51 EDT 2018


rfg>    1)  I confess that I know virtually nothing about DNSSEC.  I do
rfg>        know one thing however, which is that there's such a thing,
rfg>        in the world of domain names, as a "self signed" SSL
rfg>        certificate.

DNSSEC follows a chain of trust from the root or trust anchor through
the whole chain. If the parent doesn't sign, it won't validate. So no, no
equivalent of self-signed SSL certs.

And the benefit isn't just to the owner of the prefix. As several folks
have said, if I want to know something about the in-addr zone data,
DNSSEC signing has value to anyone doing DNSSEC validation, not just the
zone or prefix owner. There is value to the entire internet in the whole
in-addr tree being signed at some point.
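
Added example, not part of the original message: a simplified Python model of the chain of trust described above, showing what a validator concludes when the parent publishes no DS record for a signed reverse zone. The zone names, placeholder key bytes and function names are constructed for illustration, and only the DS-to-DNSKEY linkage (RFC 4509 SHA-256 digest) is checked; RRSIG verification and authenticated denial of DS are left out.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, pubkey, flags=257, alg=13):
    """SHA-256 DS digest (RFC 4509): SHA-256(owner name | DNSKEY RDATA)."""
    rdata = struct.pack("!HBB", flags, 3, alg) + pubkey
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def validate(chain, trust_anchor):
    """Walk the zones from the top down; 'secure' needs a matching DS at every cut."""
    if ds_digest(chain[0]["name"], chain[0]["key"]) != trust_anchor:
        return "bogus"          # top key does not match the configured anchor
    for parent, child in zip(chain, chain[1:]):
        ds = parent["ds_for_child"]
        if ds is None:
            return "insecure"   # no DS in the parent: the child's signatures prove nothing
        if ds != ds_digest(child["name"], child["key"]):
            return "bogus"      # DS present but for a different key
    return "secure"

# Constructed sample data: placeholder key bytes, documentation prefix 192.0.2.0/24.
NAMES = [".", "arpa.", "in-addr.arpa.", "192.in-addr.arpa.", "2.0.192.in-addr.arpa."]
KEYS = [("constructed-key-%d" % i).encode() for i in range(len(NAMES))]
ANCHOR = ds_digest(NAMES[0], KEYS[0])

def build_chain(parent_publishes_ds=True, holder_key=KEYS[-1]):
    """Build the delegation chain; optionally drop the DS for the last zone."""
    keys = KEYS[:-1] + [holder_key]
    chain = []
    for i, name in enumerate(NAMES):
        ds = ds_digest(NAMES[i + 1], KEYS[i + 1]) if i + 1 < len(NAMES) else None
        chain.append({"name": name, "key": keys[i], "ds_for_child": ds})
    if not parent_publishes_ds:
        chain[-2]["ds_for_child"] = None
    return chain

if __name__ == "__main__":
    print(validate(build_chain(True), ANCHOR))                      # full chain
    print(validate(build_chain(False), ANCHOR))                     # parent omits DS
    print(validate(build_chain(True, b"self-made-key"), ANCHOR))    # key not in parent DS
```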


